Summary | ZeroBOX

xmrig.exe

PE64 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 21, 2024, 2:03 p.m. Oct. 21, 2024, 2:05 p.m.
Size 2.8MB
Type PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5 43f595460b2fca77561c63e8a80178dd
SHA256 7dc50338d476cd0dfdfcf48dc7dbff682d6d04458c6ce2808f35779606576532
CRC32 E38E805A
ssdeep 49152:Ttx3zeCE99IyWGKUpZTGttu7FfdKRiIsA37SWje3b9VJMsdnee6GrhpIfI9umCzY:TrM9BpYttuBdK4FA3mWMbfN73r0fCulc
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895
stacktrace+0x84 memdup-0x1af @ 0x749a0470
hook_in_monitor+0x45 lde-0x133 @ 0x749942ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x749b5ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x776e4138
xmrig+0xc19588 @ 0x140629588
xmrig+0xc19588 @ 0x140629588
xmrig+0x1000 @ 0x13fa11000
xmrig+0xc16b4c @ 0x140626b4c

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77710895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 3273976
registers.rsi: 5362487296
registers.r10: 3221225785
registers.rbx: 5375169928
registers.rsp: 3276072
registers.r11: 8796092882944
registers.r8: 64
registers.r9: 2004843552
registers.rdx: 3275320
registers.r12: 0
registers.rbp: 1996226560
registers.rdi: 5375273034
registers.rax: 3273656
registers.r13: 0
1 0 0
section UPX1 (size_of_data 0x002d2200, virtual_address 0x0096a000, virtual_size 0x002d3000, entropy 7.999935860339307) entropy 7.99993586034 description A section with a high entropy has been found
entropy 0.991589426708 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Lionic Riskware.Win32.XMRig.1!c
Skyhigh BehavesLike.Win64.Suspicioustrojan.vc
ALYac Trojan.GenericKD.74221182
Cylance Unsafe
VIPRE Trojan.GenericKD.74221182
Sangfor CoinMiner.Win64.Agent.Vzdk
CrowdStrike win/grayware_confidence_90% (D)
BitDefender Trojan.GenericKD.74221182
K7GW Riskware ( 005622c31 )
K7AntiVirus Riskware ( 005622c31 )
Arcabit Trojan.Generic.D46C867E
VirIT Trojan.Win64.Agent.HGV
Symantec PUA.Gen.2
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of Win64/CoinMiner.NL potentially unwanted
Avast Win64:CoinminerX-gen [Trj]
Kaspersky not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.gen
Alibaba RiskWare:Win64/Miners.23332ca8
NANO-Antivirus Riskware.Win64.BtcMine.ksmeao
MicroWorld-eScan Trojan.GenericKD.74221182
Rising HackTool.CoinMiner!8.F154 (TFE:5:d6adNePEXuT)
Emsisoft Trojan.GenericKD.74221182 (B)
DrWeb Tool.BtcMine.2772
Zillya Tool.BitCoinMiner.Win32.43602
TrendMicro Coinminer.Win64.XMRIG.IB24
McAfeeD Real Protect-LS!43F595460B2F
Trapmine malicious.moderate.ml.score
CTX exe.miner.xmrig
Sophos XMRig Miner (PUA)
Ikarus PUA.CoinMiner
FireEye Trojan.GenericKD.74221182
Jiangmin RiskTool.BitCoinMiner.avcl
Webroot Bitcoinminer.Gen
Google Detected
Antiy-AVL RiskWare[RiskTool]/Win32.BitCoinMiner
Kingsoft Win32.Troj.Undef.a
Gridinsoft Trojan.Win64.XMRig.tr
Xcitium ApplicUnwnt@#2xdbnb4nsbj8a
Microsoft Trojan:Win64/CoinMiner.NB!MTB
ZoneAlarm not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.gen
GData Trojan.GenericKD.74221182
Varist W64/Coinminer.BN.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R665781
McAfee Artemis!43F595460B2F
DeepInstinct MALICIOUS
Malwarebytes RiskWare.CoinMiner.Generic
TrendMicro-HouseCall Coinminer.Win64.XMRIG.IB24
Tencent Malware.Win32.Gencirc.10c0406a
Yandex Riskware.Agent!c8hWjG0qv4M
huorong HackTool/CoinMiner.ab